Update app.js

app.js

@@ -417,6 +417,47 @@ app.post('/project/feedback', async (req, res) => {
     }
 });
 
+app.post('/project/ping', async (req, res) => {
+    // 1. Accept userId along with projectId
+    const { projectId, userId } = req.body;
+
+    if (!projectId || !userId) {
+        return res.status(400).json({ error: "Missing ID fields" });
+    }
+
+    // 2. Retrieve Project State (Hydrates from DB if not in memory)
+    const project = await StateManager.getProject(projectId);
+    
+    if (!project) {
+        // If project doesn't exist in Memory or DB
+        return res.status(404).json({ action: "IDLE", error: "Project not found" });
+    }
+
+    // 3. SECURITY CHECK: Ensure the user matches the project owner
+    if (project.userId !== userId) {
+        console.warn(`[Security] Unauthorized ping for ${projectId}. Owner: ${project.userId}, Request: ${userId}`);
+        return res.status(403).json({ error: "Unauthorized: You do not own this project." });
+    }
+
+    // 4. Retrieve Command (Only if authorized)
+    const command = await StateManager.popCommand(projectId);
+    
+    if (command) {
+        if (command.payload === "CLEAR_CONSOLE") {
+             res.json({ action: "CLEAR_LOGS" });
+        } else {
+            res.json({ 
+                action: command.type, 
+                target: command.payload, 
+                code: command.type === 'EXECUTE' ? command.payload : null 
+            });
+        }
+    } else {
+        res.json({ action: "IDLE" });
+    }
+});
+
+/*
 app.post('/project/ping', async (req, res) => {
     const { projectId } = req.body;
     // This will hydrate from DB if missing
@@ -432,6 +473,7 @@ app.post('/project/ping', async (req, res) => {
         res.json({ action: "IDLE" });
     }
 });
+*/
 
 app.post('/human/override', validateRequest, async (req, res) => {
     const { projectId, instruction, pruneHistory } = req.body;